Commit 991ce84

fix: make password options deterministic (#5)
1 parent 7e25e3a commit 991ce84

3 files changed, +8 -8 lines changed

README.md

Lines changed: 2 additions & 2 deletions
@@ -21,13 +21,13 @@ This module **does not** create a reader role that can be used to view the data.
2121
| Name | Description | Type | Default | Required |
2222
|------|-------------|------|---------|:--------:|
2323
| <a name="input_database_name"></a> [database\_name](#input\_database\_name) | The name of the Snowflake database to use | `string` | n/a | yes |
24-
| <a name="input_disable_password"></a> [disable\_password](#input\_disable\_password) | Whether to disable the password for the Snowflake user. If true, the user will only be able to authenticate using the RSA public key. | `bool` | `false` | no |
2524
| <a name="input_fullstory_cidr_ipv4"></a> [fullstory\_cidr\_ipv4](#input\_fullstory\_cidr\_ipv4) | DEPRECATED: Use fullstory\_cidr\_ipv4s. The CIDR block that Fullstory will use to connect to Snowflake. | `string` | `""` | no |
2625
| <a name="input_fullstory_cidr_ipv4s"></a> [fullstory\_cidr\_ipv4s](#input\_fullstory\_cidr\_ipv4s) | The CIDR blocks that Fullstory will use to connect to Snowflake. | `list(string)` | `[]` | no |
2726
| <a name="input_fullstory_data_center"></a> [fullstory\_data\_center](#input\_fullstory\_data\_center) | The data center where your Fullstory account is hosted. Either 'NA1' or 'EU1'. See https://help.fullstory.com/hc/en-us/articles/8901113940375-Fullstory-Data-Residency for more information. | `string` | `"NA1"` | no |
2827
| <a name="input_fullstory_storage_allowed_locations"></a> [fullstory\_storage\_allowed\_locations](#input\_fullstory\_storage\_allowed\_locations) | The list of allowed locations for the storage provider. This is an advanced option and should only be changed if instructed by Fullstory. Ex. <cloud>://<bucket>/<path>/ | `list(string)` | <pre>[<br> "gcs://fullstoryapp-warehouse-sync-bundles"<br>]</pre> | no |
2928
| <a name="input_fullstory_storage_provider"></a> [fullstory\_storage\_provider](#input\_fullstory\_storage\_provider) | The storage provider to use. Either 'S3', 'GCS' or 'AZURE'. This is an advanced option and should only be changed if instructed by Fullstory. | `string` | `"GCS"` | no |
30-
| <a name="input_password"></a> [password](#input\_password) | The password to use for the Snowflake user. | `string` | `null` | no |
29+
| <a name="input_manage_password"></a> [manage\_password](#input\_manage\_password) | Whether to create a random password and use it for the Snowflake user. If false and no password or RSA public key is provided, the user will be created without a password. | `bool` | `true` | no |
30+
| <a name="input_password"></a> [password](#input\_password) | The password to use for the Snowflake user. Use manage\_password=true if you want to generate a random password. | `string` | `null` | no |
3131
| <a name="input_role_name"></a> [role\_name](#input\_role\_name) | The name of the Snowflake role to create. | `string` | `null` | no |
3232
| <a name="input_rsa_public_key"></a> [rsa\_public\_key](#input\_rsa\_public\_key) | The RSA public key to use for the Snowflake user. Must be on 1 line without header and trailer. | `string` | `null` | no |
3333
| <a name="input_rsa_public_key_2"></a> [rsa\_public\_key\_2](#input\_rsa\_public\_key\_2) | The second RSA public key to use for the Snowflake user. Used when rotating keys. Must be on 1 line without header and trailer. | `string` | `null` | no |
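
Review bot: the `disable_password` row is removed from the inputs table with no upgrade note, so a caller who still passes `disable_password = true` finds nothing in the README saying what replaces it. Add a short migration line next to the table stating that the input was replaced by `manage_password`, and that, going by the new description, a user without a password is now requested with `manage_password = false` and `password` left at `null`.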

main.tf

Lines changed: 2 additions & 2 deletions
@@ -44,7 +44,7 @@ resource "snowflake_grant_privileges_to_role" "warehouse" {
4444
}
4545

4646
resource "random_password" "main" {
47-
count = (var.disable_password || var.password != null) ? 0 : 1
47+
count = var.manage_password ? 1 : 0
4848
length = 16
4949
special = true
5050
override_special = "!#$%&*()-_=+[]{}<>:?"
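
Review bot: the new `count` line on `random_password.main` carries no comment explaining why `var.password` no longer appears in it. Since the commit title gives determinism as the goal, add a one-line comment above `count = var.manage_password ? 1 : 0` saying the count is meant to depend only on the boolean, so a later edit does not put `var.password != null` back into the expression.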
@@ -55,7 +55,7 @@ resource "snowflake_user" "main" {
5555
name = "FULLSTORY_WAREHOUSE_SETUP_${local.suffix}"
5656
default_warehouse = var.warehouse_name
5757
default_role = snowflake_role.main.name
58-
password = var.disable_password ? "" : (var.password != null ? var.password : random_password.main[0].result)
58+
password = var.manage_password ? random_password.main[0].result : var.password
5959
rsa_public_key = var.rsa_public_key
6060
rsa_public_key_2 = var.rsa_public_key_2
6161
}
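
Review bot: missing check on the new `password` line: with `manage_password` at its default of `true` (set in variables.tf in this commit), a caller-supplied `var.password` is silently dropped in favour of `random_password.main[0].result`, whereas the removed expression used `var.password` whenever it was non-null. A caller who sets only `password` will get a different credential than the one they configured, with no error. Reject the combination instead, for example with a `precondition` on `snowflake_user.main` whose condition is `!(var.manage_password && var.password != null)` and whose error message tells the caller to set `manage_password = false`.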

variables.tf

Lines changed: 4 additions & 4 deletions
@@ -17,7 +17,7 @@ variable "stage_name" {
1717

1818
variable "password" {
1919
type = string
20-
description = "The password to use for the Snowflake user."
20+
description = "The password to use for the Snowflake user. Use manage_password=true if you want to generate a random password."
2121
default = null
2222
sensitive = true
2323
}
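
Review bot: the new `password` description does not say that the value is ignored while `manage_password` is `true`, which is the default introduced further down in this file. As written, "Use manage_password=true if you want to generate a random password" reads as optional advice rather than a precedence rule. Reword it along the lines of "Only used when manage_password = false" and update the matching README row so the two stay in sync.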
@@ -74,10 +74,10 @@ variable "warehouse_name" {
7474
description = "The name of the Snowflake warehouse to use."
7575
}
7676

77-
variable "disable_password" {
77+
variable "manage_password" {
7878
type = bool
79-
default = false
80-
description = "Whether to disable the password for the Snowflake user. If true, the user will only be able to authenticate using the RSA public key."
79+
default = true
80+
description = "Whether to create a random password and use it for the Snowflake user. If false and no password or RSA public key is provided, the user will be created without a password."
8181
}
8282

8383
variable "rsa_public_key" {
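
Review bot: the `manage_password` description loses the statement the removed `disable_password` text made about RSA-only authentication, and "created without a password" does not tell the reader how that user is then expected to authenticate. Say explicitly that `manage_password = false` with `password` unset and `rsa_public_key` set yields a user that authenticates with the RSA key only. The flag also changes sense and default in one step (`disable_password` defaulting to `false` becomes `manage_password` defaulting to `true`), so note in the description or changelog that callers who set the old variable must switch to the new one.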
